Justice Department balks at privacy provision in phone rules

JOHN DUNBARAssociated Press Writer

Published Monday, February 05, 2007

WASHINGTON -- Federal regulators working on rules to secure the calling records and other private information of telephone customers are running into resistance from phone companies and law enforcement agencies.

The rules, an effort by the Federal Communications Commission to combat "pretexting," are circulating among the commissioners for comment and may be voted on this month.

Pretexting is the practice of impersonating a phone customer to gain access to his phone records. President Bush signed a law last month criminalizing the practice and imposing penalties including up to 10 years in prison.

The issue gained prominence last year when executives of the Hewlett-Packard Co. were charged with hiring private detectives who used the technique to investigate board members.

The new law gives police a weapon to punish perpetrators. But it leaves out any requirements for how phone companies should protect their customers' private data.

Cell phone bills, for example, can reveal who a person has called and, in some cases, even the caller's location.

The FCC chairman, Kevin Martin, told reporters recently that the new rules will require that customers use a password to access their account information.

AT&T Inc. spokesman Michael Balmoris said the company has to be careful to balance security against customers' wishes for easy access to their information.

The rules also are expected to require that phone companies get a customer's permission before they can release information that may be used for telemarketing.

On the Net:

Federal Communications Commission: www.fcc.gov

Phone companies contend this requirement would violate their First Amendment right to communicate with customers -- a position that was backed by a federal court in 1999.

Phone companies say there is no evidence that information shared with business partners falls into the wrong hands, making the proposed requirement unnecessary.

The departments of Justice and Homeland Security have taken issue with two other possible provisions in the emerging rules, both of which have privacy advocates concerned.

The first would tell phone companies to destroy customer records as soon as the records no longer are needed for legitimate business purposes. The government wants the records preserved for possible use in criminal investigations.

Secondly, the two departments want phone companies to notify law enforcement officials first, before customers, when customers' private billing information has been disclosed improperly.

In written comments to the FCC, Deputy Attorney General Paul J. McNulty said immediately alerting customers in such cases may tip off investigative targets and lead them to destroy evidence, change their behavior or slip away.

He proposed that companies not tell customers for at least seven business days after notifying the FBI or the Secret Service.

For companies, this would mean they would have to determine, without the benefit of input from their own customers, whether an unauthorized breach had occurred. Companies also have raised questions about how such a notification system would work.

Consumer advocates are concerned a delay may result in more harm than good.

Jeannine Kenney, senior policy analyst with Consumers Union, said customers should learn immediately when someone is delving into their personal information.

"In fact, failing to notify a customer of a breach could impede prevention of actual harm or the commission of another crime," she said.